How to approach security?

[adrianrudnik]

Given that IPX is the default and I'm trying to run a simple node server SSR enabled application with images, what mechanisms are there to prevent someone to run a simple

curl https://.../_ipx/enlarge,s_10000x1000&w_10000&q_100/someimage.jpg

Because right now, in production, I can hold a CPU hostage for good 20 seconds and produce a > 40mb image per request.

I only found mentions of the nonce, but that seems to be CSP only and does not prevent malicious configurations or scripts.

[yudin-s]

You are right to worry about this. A public image optimizer endpoint is effectively a small image-processing API, so you need limits around it.

With the default IPX provider, the first line of defense is to restrict what can be fetched:

export default defineNuxtConfig({
  runtimeConfig: {
    ipx: {
      domains: ["your-cdn.example.com"],
      alias: {
        images: "https://your-cdn.example.com/images",
      },
    },
  },
})

That prevents the endpoint from becoming an open proxy, but it does not fully solve abuse via huge resize/modifier combinations.

For that, I would add one or more of these:

• put a CDN/WAF/rate limit in front of /_ipx/**
• cache optimized results aggressively
• only generate image URLs through presets/sizes your app actually uses
• block oversized w, h, s, quality, or expensive modifier combinations in middleware/proxy before they reach IPX
• for private/origin images, use an alias instead of arbitrary remote URLs

The nonce option is CSP-related and does not protect the optimizer endpoint from direct requests. If you need hard guarantees on dimensions/modifiers, enforce them before IPX processes the request.

[adrianrudnik]

Thanks for the pointers! I moved to a different approach, using imgproxy and using server components / nuxt islands to ensure that images get signed on the server side, even though there is a bit overhead.